[57] ABSTRACT

A security system 31 for use with a base computer system 29 includes an access monitoring unit 100 for continuously monitoring all operations in the memory address space, the input/output address space, or both, of the base computer 1 in parallel with base computer execution. The access monitoring system 100 can include access monitoring memory tables which specify, for a given user, his read access and write access to data stored in the security system, in the base computer system or both.
SYSTEM FOR PROVIDING HIGH SECURITY FOR PERSONAL COMPUTERS AND WORKSTATIONS

FIELD OF THE INVENTION

This invention relates to security systems that are adapted for use with conventional computer systems such as the IBM PC/AT compatible systems and that provide a high level of security for the user. More specifically, this invention relates to certain hardware and software for making a secure computer system.

DESCRIPTION OF RELATED ART

Before now, computer systems requiring security for the data used in a computer had to be placed inside a locked room, requiring a user to leave his office and isolate himself inside the room, thus decreasing his productivity. Alternatively, special secure processors used control software to secure data and programs. These processors suffered severe performance degradation, increasing costs and decreasing usage of such systems.

A need has developed for a computer security system that need not be locked in a separate room, which provides equivalent performance and improved user productivity.

Typical computer system architectures allow the user processor unlimited access to data stored in memory or peripheral devices. Attempts at making a personal computer secure have included adding software and using 'custom' secured architectures. Software security measures are often circumvented by bypassing or patching the security software. Prior hardware security measures have been incompatible with standard computer architecture. The hardware security device of this invention, the Access Monitoring Unit (AMU), provides means for converting any general purpose personal computer, such as an IBM-AT, into a secure computer system.

In secure computer systems, computer memory is treated in different ways based upon the function of its contents. In this context, a "subject" is memory containing an active entity such as a program or device driver. The execution of a program or of a device driver causes information to flow among objects or changes the system state. An "object" is memory containing a passive entity such as a data base or a word processing file. Access to an object by a subject means that the subject's instructions can use and/or change the data in the object.

A domain is the unique context in which a program is operating, i.e. the set of objects that a subject can potentially access.

SUMMARY OF THE INVENTION

This invention provides a security system which adapts a conventional base computer system for high security use by addition of hardware and software. The hardware adds an access monitoring unit which continuously monitors all operations of the base computer CPU. The access monitoring unit specifies, for a given user, his read access and his write access to data stored in the system at that instant.

Functionally, the AMU intervenes between the base computer processor chip and the rest of the base CPU card. The AMU acts as a bridge between the user processor and other hardware in the system. The AMU monitors all traffic, i.e. all user accesses to and from the base computer. In combination with the security software, the AMU provides the hardware/software means to make any computer system secure.

The AMU monitors all processor cycles to the base computer memory or I/O addresses. In preferred embodiments, monitoring takes place at two levels of granularity. The AMU divides a base computer address space into pages. Each page can be monitored for any combination of read or write access or it may be monitored with a protection map. Protection maps further divide a page into words which can be individually monitored for read or write access. The security software loads the access monitor memory with the data which specifies the objects, or memory locations, which are accessible to the present user.

The AMU switches from treating the base computer memory as one large address space for user programs to one of a number of selectable address spaces. Selectable address spaces are used to provide distinguished domains in the base computer for execution of trusted subjects, i.e. subjects having a specific level of sensitivity.

Electrically, the AMU is located between the base computer CPU chip and the base computer memory control, bus, and support logic. In the preferred embodiment, the AMU hardware is located on the base computer CPU board. The AMU may be connected to an external security computer for execution of the security software.

This system has many advantages. No data passes over the base computer bus unless the base computer is being operated by an identified user with access to the requested data. Users who change or damage the base computer software portions of the security system still have no access to secure data since the security system validates all requests against an identified user even if the request originates from untrusted subjects.

The software components of a security system suitable for controlling an AMU might include: (a) security policy enforcing programs; and (b) access monitoring unit control programs. The software components can operate in an external security computer to provide performance equivalent to an unmodified computer.

In preferred embodiments of the security software, the security policy enforcing software audits security-relevant activities, maintains an auditable event table, and writes audit blocks to media in the security system. These tables and logs are maintained on storage devices as files. The security policy software also provides Discretionary Access Control functions, Mandatory Access Control functions and type enforcement functions. The security policy enforcing software may also provide a labeling printer function to create hard copy output containing proper labeling; a trusted path function to interact with the user for performing trusted path operations such as log-in and log-out; and session manager functions providing control over a user session.

The access monitoring unit software provides two functions, namely, object and subject map allocation, which determine the contents of the access memory; and an interface function for controlling the AMU.

BRIEF DESCRIPTION OF THE DRAWINGS

This invention can better be understood by reference to the drawings, in which:

FIG. 1 shows an embodiment in block diagram form of a security system utilizing the AMU of this invention;

FIG. 2, consisting of 2A and 2B, shows an embodiment of look-up tables in the access monitor memory that forms part of the AMU of this invention;

FIG. 3 shows a block diagram of the software components for a preferred embodiment of the security computer system of this invention; and

FIG. 4 shows a block diagram of the software components for a preferred embodiment of a base computer system with which the AMU and security computer system of this invention can be used.

DETAILED DESCRIPTION OF THE 
PREFERRED EMBODIMENTS 

Referring to FIG. 1, base computer 29 is an IBM AT-type personal computer (PC), with conventional support logic 4 and memory 30.

Access monitoring unit 100 is linked to base computer CPU chip 1 via path 3. Typical support logic 4 may include ROM, clock circuitry, and general processor support logic. A port for keyboard 25 is also included in base CPU card 27.

AMU 100 provides for a known number, here 16 megabytes, of monitoring space, covering all locations in the memory map for 80386 chip 1. Monitoring takes place at two levels of granularity. The AMU divides the 16-megabyte CPU address base into a known number, here 4,096, of pages which results in pages of 4 kilobytes each. Each page can be monitored for any combination of read or write access, or the page can be monitored with a protection map. Protection maps further divide a page into a known number, here 1,024 long words, providing read and write access control to these 32-bit long words.

The access monitor circuit is located between the 80386 chip 1 and its support logic 4 and bus 26, assuring an unbypassable reference monitor. FIG. 2A shows the AMU block diagram. FIG. 2B shows a flow chart depiction of the decision-making algorithms executed by the AMU.

A: For every memory cycle executed by the 80386 chip 1, the subject register 201 provides control of the operating mode of the access monitoring unit.

B: When the user/subject bit 202 is true, the user page extension part 203 of the processor's address 204 is substituted with the subject ID bits 205 of the subject register 201 on the subject identification lines 206.

C: The subject identification lines 206 and the page number part 207 of the processor's address 204 are used to access the object mapping RAM 208. The contents of the object mapping RAM 208, having been previously set by the access control software, define: in the first bit 209 whether or not a protection map is used; in the next two bits 210 page read and write access enable lines if no protection map is used; and, in the remaining bits 211, a protection map number, if a protection map is used.

D: The protection map number 211 and the quad index part 212 of the processor's address 204 are used to access the protection map RAM 213. The contents of the protection map RAM 213, having been previously set by the access control software, define four sets of read and write access enable lines 214 which are decoded by the decoder 220 using the long word access part 218 of the processor's address 204 to produce the word access bits 219.

E: If the protection map used bit 209 is FALSE, F: the least access circuitry 215 uses the logic signal appearing on the page read and write access enable lines 210 to drive outputs 216 and 217; G: otherwise the least access circuit 215 uses the word access bits 219 to drive outputs 216 and 217.

H: If the memory cycle is a read cycle and the signal on the read OK line 216 is not true, then the cycle is aborted.

I: If the memory cycle is a write cycle, and the signal on the write OK line 217 is not true, then the cycle is aborted.
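The FIG. 2B decision sequence just described, modelled in C as an added example; this is not code from the patent. The 16 MB monitored space, the 4,096 pages of 4 KB, the 1,024 long words per page and the 16 selectable address spaces come from the description above; the bit positions chosen for the page number, quad index, long word and user page extension parts, the packing of the object mapping and protection map entries, the number of protection maps and the demonstration configuration are assumptions made for this model.

```c
/* Software model of the AMU decision algorithm (FIG. 2B, steps A to I).
 * Added example, not code from the patent. The bit layout of addresses and
 * table entries is an assumption chosen to match the stated sizes: 16 MB
 * monitored space, 4,096 pages of 4 KB, 1,024 long words per page (four per
 * 16-byte quad), 16 selectable address spaces. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AMU_PAGES    4096u  /* 16 MB / 4 KB */
#define AMU_SUBJECTS 16u    /* 4 subject ID bits (205) */
#define AMU_MAPS     64u    /* number of protection maps: assumed */
#define AMU_QUADS    256u   /* 4 KB page / 16-byte quad of four long words */

/* Object mapping RAM entry (208): bit 0 = protection map used (209),
 * bits 1-2 = page read/write enable (210), bits 3 and up = map number (211). */
#define OM_PMAP_USED  0x1u
#define OM_PAGE_READ  0x2u
#define OM_PAGE_WRITE 0x4u
#define OM_MAP_SHIFT  3

/* Subject register (201): bit 7 = user/subject bit (202), bits 0-3 = subject ID (205). */
#define SR_USER_SUBJECT 0x80u

struct amu {
    uint8_t subject_reg;
    uint32_t object_map[AMU_SUBJECTS][AMU_PAGES];
    /* Protection map RAM (213): per map and quad, four (read, write) pairs packed
     * into one byte: bit 2w = read OK, bit 2w+1 = write OK for long word w. */
    uint8_t prot_map[AMU_MAPS][AMU_QUADS];
};

enum amu_cycle { AMU_READ, AMU_WRITE };

/* Returns true if the cycle may proceed, false if the AMU aborts it (steps H and I). */
bool amu_check(const struct amu *a, uint32_t addr, enum amu_cycle cycle)
{
    /* A/B: the subject register controls the mode. With the user/subject bit set,
     * the subject ID replaces the user page extension part (203) of the address,
     * modelled here as address bits 24-27. */
    uint32_t subj = (a->subject_reg & SR_USER_SUBJECT) ? (a->subject_reg & 0x0Fu)
                                                       : (addr >> 24) & 0x0Fu;
    uint32_t page = (addr >> 12) & 0xFFFu;  /* page number part (207) */
    uint32_t quad = (addr >> 4) & 0xFFu;    /* quad index part (212) */
    uint32_t word = (addr >> 2) & 0x3u;     /* long word access part (218) */
    bool read_ok, write_ok;

    /* C: subject ID lines and page number address the object mapping RAM. */
    uint32_t om = a->object_map[subj][page];

    if (!(om & OM_PMAP_USED)) {
        /* E/F: no protection map, so the page-level enable lines drive the outputs. */
        read_ok = (om & OM_PAGE_READ) != 0;
        write_ok = (om & OM_PAGE_WRITE) != 0;
    } else {
        /* D/G: map number and quad index address the protection map RAM; the
         * long word part selects one of the four enable pairs. */
        uint32_t map = om >> OM_MAP_SHIFT;
        if (map >= AMU_MAPS)
            return false;  /* assumption: a map number outside the RAM denies */
        uint8_t pairs = a->prot_map[map][quad];
        read_ok = (pairs >> (2 * word)) & 1u;
        write_ok = (pairs >> (2 * word + 1)) & 1u;
    }
    /* H/I: a read needs the read OK line, a write needs the write OK line. */
    return cycle == AMU_READ ? read_ok : write_ok;
}

/* Load a new subject ID into the subject register (the context switch of step B). */
void amu_set_subject(struct amu *a, unsigned id)
{
    a->subject_reg = SR_USER_SUBJECT | (id & 0x0Fu);
}

/* Constructed configuration for the demonstration (not from the patent):
 * subject 2 has page 0x010 read/write, page 0x011 read-only, and page 0x012
 * under protection map 5, where in quad 0 long word 0 is read-only, long
 * word 1 is read/write and long words 2 and 3 are inaccessible. */
static struct amu g_amu;

struct amu *amu_demo(void)
{
    memset(&g_amu, 0, sizeof g_amu);
    amu_set_subject(&g_amu, 2);
    g_amu.object_map[2][0x010] = OM_PAGE_READ | OM_PAGE_WRITE;
    g_amu.object_map[2][0x011] = OM_PAGE_READ;
    g_amu.object_map[2][0x012] = OM_PMAP_USED | (5u << OM_MAP_SHIFT);
    g_amu.prot_map[5][0] = 0x01u | 0x0Cu;  /* word 0: R; word 1: R+W; words 2, 3: none */
    return &g_amu;
}

int main(void)
{
    const struct amu *a = amu_demo();
    printf("write 0x010000: %s\n", amu_check(a, 0x010000, AMU_WRITE) ? "ok" : "aborted");
    printf("write 0x011004: %s\n", amu_check(a, 0x011004, AMU_WRITE) ? "ok" : "aborted");
    printf("write 0x012004: %s\n", amu_check(a, 0x012004, AMU_WRITE) ? "ok" : "aborted");
    printf("read  0x012008: %s\n", amu_check(a, 0x012008, AMU_READ) ? "ok" : "aborted");
    return 0;
}
```

The model keeps the two granularities separate, as the description does: a page either carries its own read/write enables or delegates to a protection map, and the protection map is consulted only on the map-used bit. Checking the same address after amu_set_subject has changed the subject ID shows why the tables are indexed by subject as well as page: subject 3 has no entries, so every cycle it issues is aborted regardless of what subject 2 was granted.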

The embodiment of the AMU shown in FIG. 2A can be modified to accommodate any size processor (8-bit, 32-bit, or wider). Additionally, the mapping table sizes can be modified as needed. It is also feasible to have the AMU table sizes dynamically allocated by means of control circuitry or software.

The security system utilizes software in a client/server relationship. The base computer makes requests of the security software. The security software then services these requests and conveys the results to the base computer. From the base computer standpoint, the security software functions like a disk device subsystem.

The base computer system can, in preferred embodiments, use MS-DOS, O/S 2 or UNIX operating systems. Conventional operating system functions are presented with a security system-emulated operating system compatible file system. In preferred embodiments, other utility programs are provided for managing and displaying the security system's object attributes maintained by the security system.

The software in the security system includes two components, namely, security policy enforcing software and access control software.

The base computer software outside the security system includes operating system interface programs, utility programs, and user operating systems and applications.

FIG. 3 shows an overview of the security system software components. The executive software 301 provides a platform upon which the subjects of the system can execute. The executive software isolates the security system subjects from the hardware, and provides basic operating system services such as multi-tasking, intertask communication, memory management, interrupt dispatching, and fault handling.

Base computer programs can be considered separate subjects, or the entire base computer can be considered as one large subject. Each base computer subject operates in one of the 16 selectable address spaces provided by the access monitoring unit (AMU). The subject manager 302 controls the allocation of address spaces to subjects and the switching between address spaces as needed to execute the user application.

Objects are uniquely identified. The identifiers used to locate the object are global object table 303 (GOT) entries, which contain the access information for the object. For file system objects, the GOT is stored on suitable media, with a cache 304 of such entries kept in security computer memory by the object manager 305. For memory objects, GOT entries are created dynamically and placed in the GOT cache 304 by the object manager 305. The entries are not removed from the cache during the lifetime of the object, since memory object GOT entries have no disk-resident counterpart.

To illustrate how AMU tables are updated, consider that, when an existing object is referenced, the security enforcing functions use the GOT access information 303 provided by the object manager 305 via the executive 301 to determine what access to grant. When a new object is created, this access information defaults so that the creating subject has full access, and other subjects have no access. When an object is destroyed, its contents and associated GOT 303 entry are overridden to preclude reuse by a subsequent object creation. The
object manager 305 is invoked by the base computer request dispatcher 306 through the executive 301 when the base subject performs operations to the interface card 307/5.

The security policy enforcing software 350 includes several functions. The audit function 354, for example, provides a single point for auditing security-relevant actions, and maintains an auditable event table 355 and writes audit blocks 356 to suitable media. The auditable event table and audit logs are kept on the storage devices as files. These files are written automatically so that a write to the audit log always performs a device output.

The Discretionary Access Control function 352 provides a single point for determining access rights based on access control lists. This function 352 maintains a cache of access control list data 357 for the most recently used objects. When it receives a request for discretionary access control rights of a subject to an object not in the cache, the discretionary access control function gets the data from the object manager 305 via the executive 301.

The Mandatory Access Control function (MAC) 351 provides a single point for determining access rights based on security levels, and maintains a cache of security level data 358 for the most recently used objects. When MAC control 351 receives a request for the rights of a subject to an object not in the cache, the function 351 gets the data from the object manager 305 via the executive 301.

The type enforcement function 353 provides a single point for determining access rights based on domains and types, and maintains a cache of type data 35? for the most recently used objects. When this function 353 receives requests for type enforcement rights of a subject to an object not in the cache, the type enforcement function 351 gets the data from the object manager via the executive 301.

The access control software 320 provides the hardware referencing monitor functions of the system, and is responsible for configuring the AMU hardware 325/102 based on subject and object activity. The access control software includes three functions. The first function 321 controls operation of AMU hardware 325/102, and is invoked by messages from the subject manager 302 describing the currently active subject, or by illegal reference messages from the AMU 325/102. When a new subject becomes active, the first function loads the look-up tables and control registers of the AMU hardware 325/102. These values describe the address base restrictions imposed on the current subject. If the current subject causes an illegal reference to be detected by the AMU hardware 325/102, the first function 321 asks the subject manager 302 to destroy the current base subject and create a new one.

The object and subject map allocator determines the contents of each AMU segment and page-mapping table. The map manager 322 performs the function of assigning maps. When a base computer performs a context switch to another subject, the map allocator either selects the proper map tables from those already loaded into the mapping tables, or the second function 322 reloads the mapping tables to reflect the new base computer memory configuration.

The third function 323 is responsible for control of the access monitor memory. This controller 323 is invoked by load and control messages from the first function 321 or by interrupt messages from the security system executive 301 interrupt dispatcher. Request messages are converted to AMU look-up table values or control register values and sent to the AMU 321. Interrupt messages are converted into attention messages and sent to the first function 321.

FIG. 4 shows an overview of the base computer software components. The operating system interface software 400 provides the base computer with access to security system services in a manner transparent to user programs 450 operating on the base computer. This interface is provided at the basic input/output service and at the device driver level, and insures that user programs 450 can operate in this security system without modification.

The base computer operating system interface software 400 includes several functions. The base computer BIOS (basic input/output system) extensions 401 modify the standard BIOS 402 such that base computer calls to BIOS functions are translated into requests to the security system for the required service. In the preferred embodiment, the BIOS 402 used for the system is based on the standard portable BIOS provided by Microsoft under license. Extensions to this BIOS 401 are primarily in the boot-up and storage device access routines. The BIOS routines 401/402 are used by both operating system 440 and application programs 450 used on the base computer.

The base computer installable device drivers 403 are used to present an operating system compatible interface to devices actually controlled by the security system. There are several such devices. The port driver 405 is the only base computer software that interacts directly with the security system. The port driver 405 passes service requests from the base software 440 or 401 to the security system computer via the dual-port mailbox memory 406 provided in the base computer to the security system interface card 5. When the request completes, status is returned by the port driver 405 to the requesting program 440 or 401. The port driver 403 provides a single consistent interface to the security system for use by the BIOS extensions 401 and other installable device drivers 403.

Hard disk drivers 407 provide the standard disk drive devices used by base computer programs 440/450. These device drivers present the operating system 440 with the expected disk device interface used by MS-DOS. These drivers 407 translate all disk I/O requests from the base computer into security system service requests. These requests are passed to the security system via the port device driver 405.

The red floppy disk driver 409 provides access to a disk device directly connected to the base computer. Data written to this floppy device is not encrypted. This device driver 409 operates identically to any standard floppy disk driver 404, except that the disk input/output request is passed to the security system for validation and auditing. If the security system determines that the request is allowable, the red floppy driver 409 will enable the red floppy disk-write circuit.

The printer driver 408 provides the base computer with a standard printer device interface. Data sent to this printer device is passed to the security system for printing. The security system printer 330 adds sensitivity labels to the data before printing the data.

The base computer utility programs 420 are those normally supplied with the operating system that require changes to operate correctly with the security system. For example, in the preferred embodiment, DEVICE 421 is a system configuration command used to load device drivers. When a driver is loaded, the security system is notified. If access is granted, the driver is loaded and treated as a separate subject.
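The global object table handling described above for the object manager 305, namely that a newly created object defaults to full access for the creating subject and none for other subjects, and that destroying an object overrides its contents and its GOT entry so a later creation cannot reuse them, as an added example in C. This is not code from the patent; the table layout, the rule that only a subject holding write access may change an entry's access information or destroy the object, and the retirement of object identifiers are assumptions made for this model.

```c
/* Model of global object table (303) maintenance by an object manager (305).
 * Added example, not the patent's code. Assumed: a fixed-size in-memory table,
 * per-subject access bits, write access as the authority to change an entry,
 * and object ids that are never reused. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define GOT_SLOTS 8
#define SUBJECTS  16
#define OBJ_BYTES 32

#define ACC_NONE  0u
#define ACC_READ  1u
#define ACC_WRITE 2u
#define ACC_FULL  (ACC_READ | ACC_WRITE)

struct got_entry {
    uint32_t object_id;           /* 0 marks a free slot */
    uint8_t access[SUBJECTS];     /* access information per subject */
    uint8_t contents[OBJ_BYTES];  /* memory object contents, modelled inline */
};

static struct got_entry got[GOT_SLOTS];
static uint32_t next_object_id = 1;  /* never reused: a stale id cannot name a new object */

static struct got_entry *got_find(uint32_t id)
{
    for (int i = 0; id != 0 && i < GOT_SLOTS; i++)
        if (got[i].object_id == id)
            return &got[i];
    return NULL;
}

/* Create an object: creator gets full access, all other subjects none.
 * Returns the new id, or 0 if the table is full. */
uint32_t got_create(unsigned creator)
{
    for (int i = 0; i < GOT_SLOTS; i++) {
        if (got[i].object_id == 0) {
            memset(&got[i], 0, sizeof got[i]);  /* every subject starts at ACC_NONE */
            got[i].object_id = next_object_id++;
            got[i].access[creator] = ACC_FULL;
            return got[i].object_id;
        }
    }
    return 0;
}

/* Decide whether subject holds all of the wanted access bits on object id. */
bool got_check(uint32_t id, unsigned subject, uint8_t wanted)
{
    const struct got_entry *e = got_find(id);
    return e != NULL && (e->access[subject] & wanted) == wanted;
}

/* Let granter, who must hold write access, set another subject's access bits. */
bool got_grant(uint32_t id, unsigned granter, unsigned subject, uint8_t acc)
{
    struct got_entry *e = got_find(id);
    if (e == NULL || !(e->access[granter] & ACC_WRITE))
        return false;
    e->access[subject] = acc;
    return true;
}

/* Write data into the object if the subject holds write access. */
bool got_write(uint32_t id, unsigned subject, const uint8_t *data, size_t len)
{
    struct got_entry *e = got_find(id);
    if (e == NULL || len > OBJ_BYTES || !(e->access[subject] & ACC_WRITE))
        return false;
    memcpy(e->contents, data, len);
    return true;
}

/* Destroy: overwrite the contents and the GOT entry itself. The slot becomes
 * free, but the id is retired, so the next creation receives a fresh id and
 * any request still carrying the old id is refused. */
bool got_destroy(uint32_t id, unsigned subject)
{
    struct got_entry *e = got_find(id);
    if (e == NULL || !(e->access[subject] & ACC_WRITE))
        return false;
    memset(e, 0, sizeof *e);
    return true;
}
```

The sequence worth tracing is create, grant read to a second subject, destroy, create again: after the destroy the old id no longer resolves for anyone, including the original creator, and the freshly created object answers only to its own creator even though it may occupy the same slot.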
What is claimed is:

1. A security system for use with a computer system having a processing unit and memory comprising:

an access monitor unit connected between the processing unit and the memory of said computer system for continuously monitoring all operations between the memory and the processing unit of the computer system;

security means for controlling the operation of said access monitoring unit to allow or deny access to the memory by the processing unit based on predefined security conditions; and

security computer means communicating with said access monitoring unit for implementing said security means and controlling said access monitoring unit.

2. The security system of claim 1 wherein said access monitoring unit includes access monitor memory tables which specify, for a given user, his read access and write access to data stored in the computer system.

3. The security system of claim 1 wherein said security computer means includes means for associating, with each data subject or object within the memory, data specifying an authorized user.

4. The security system of claim 1 wherein said security computer means is remotely located from said computer system.

5. A security system for use with a computer having a processing unit, memory and a plurality of input/output device drivers comprising access monitoring means for continuously monitoring all operations between the processing unit and the memory, as well as between the processing unit and the input/output device drivers of the computer;

wherein said access monitoring means comprises an access monitoring unit connected between said processing unit and said memory and said input/output device drivers; and

security means for controlling the operation of said access monitoring unit to allow or deny access by the processing unit to the memory or input/output device drivers based on predefined security conditions; and

further comprising security computer means communicating with said access monitoring unit for implementing said security means and controlling said access monitoring unit.

6. The security system of claim 5 wherein said access monitoring unit includes access monitor memory tables which specify, for a given user, his read access and write access to data stored in the computer system.

7. The security system of claim 5 wherein said security computer means includes means for associating, with each data subject or object within the memory, data specifying an authorized user.

8. The security system of claim 5 wherein said security computer means is isolated from said computer system.